New ESET research into Turla’s malicious toolkit – GDPR turns two – Critical flaw in Android devices
The post Week in security with Tony Anscombe appeared first on WeLiveSecurity
And most people don’t change their password even after hearing about a breach, a survey finds
The post People know reusing passwords is risky – then do it anyway appeared first on WeLiveSecurity
At Google, we’ve always believed in the benefits and importance of using open source technologies to innovate. We enjoy being a part of the community and we want to give back in new ways. As part of this effort, we are excited to announce an expansion of our Google Vulnerability Rewards Program (VRP) to cover all the critical open-source dependencies of Google Kubernetes Engine (GKE). We have designed this expansion with the goal of incentivizing the security community to work even more closely with open source projects, supporting the maintainers whose work we all rely on.
The CNCF, in partnership with Google, recently announced a bug bounty program for Kubernetes that pays up to $10,000 for vulnerabilities discovered within the project. And today, in addition to that, we are expanding the scope of the Google VRP program to also include privilege escalation bugs in a hardened GKE lab cluster we’ve set up for this purpose. This will cover exploitable vulnerabilities in all dependencies that can lead to a node compromise, such as privilege escalation bugs in the Linux kernel, as well as in the underlying hardware or other components of our infrastructure that could allow for privilege escalation inside a GKE cluster.
How it works
We have set up a lab environment on GKE based on an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF. Participants will be required to:
We have set up a lab environment on GKE based on an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF. Participants will be required to:
- Break out of a containerized environment running on a Kubernetes pod and,
- Read one of two secret flags: One flag is on the same pod, and the other one is in another Kubernetes pod in a different namespace.
Flags will be changed often, and participants need to submit the secret flag as proof of successful exploitation. The lab environment does not store any data (such as the commands or files used to exploit it), so participants need the flags to demonstrate they were able to compromise it.
The rewards will work in the following way:
- Bugs that affect the lab GKE environment that can lead to stealing both flags will be rewarded up to 10,000 USD, but we will review each report on a case-by-case basis. Any vulnerabilities are in scope, regardless of where they are: Linux, Kubernetes, kCTF, Google, or any other dependency. Instructions on how to submit the flags and exploits are available here.
- Bugs that are 100% in Google code, qualify for an additional Google VRP reward.
- Bugs that are 100% in Kubernetes code, qualify for an additional CNCF Kubernetes reward.
Any vulnerabilities found outside of GKE (like Kubernetes or the Linux kernel) should be reported to the corresponding upstream project security teams. To make this program expansion as efficient as possible for the maintainers, we will only reward vulnerabilities shown to be exploitable by stealing a flag. If your exploit relies on something in upstream Kubernetes, the Linux Kernel, or any other dependency, you need to report it there first, get it resolved, and then report it to Google. See instructions here.
The GKE lab environment is built on top of a CTF infrastructure that we just open-sourced on GitHub. The infrastructure is new, and we are looking forward to receiving feedback from the community before it can be actively used in CTF competitions. By including the CTF infrastructure in the scope of the Google VRP, we want to incentivise the community to help us secure not just the CTF competitions that will use it, but also GKE and the broader Kubernetes ecosystems.
In March 2020, we announced the winner for the first Google Cloud Platform (GCP) VRP Prize and since then we have seen increased interest and research happening on Google Cloud. With this new initiative, we hope to bring even more awareness to Google Cloud by experienced security researchers, so we can all work together to secure our shared open-source foundations.
At Google, we’ve always believed in the benefits and importance of using open source technologies to innovate. We enjoy being a part of the community and we want to give back in new ways. As part of this effort, we are excited to announce an expansion of our Google Vulnerability Rewards Program (VRP) to cover all the critical open-source dependencies of Google Kubernetes Engine (GKE). We have designed this expansion with the goal of incentivizing the security community to work even more closely with open source projects, supporting the maintainers whose work we all rely on.
The CNCF, in partnership with Google, recently announced a bug bounty program for Kubernetes that pays up to $10,000 for vulnerabilities discovered within the project. And today, in addition to that, we are expanding the scope of the Google VRP program to also include privilege escalation bugs in a hardened GKE lab cluster we’ve set up for this purpose. This will cover exploitable vulnerabilities in all dependencies that can lead to a node compromise, such as privilege escalation bugs in the Linux kernel, as well as in the underlying hardware or other components of our infrastructure that could allow for privilege escalation inside a GKE cluster.
How it works
We have set up a lab environment on GKE based on an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF. Participants will be required to:
We have set up a lab environment on GKE based on an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF. Participants will be required to:
- Break out of a containerized environment running on a Kubernetes pod and,
- Read one of two secret flags: One flag is on the same pod, and the other one is in another Kubernetes pod in a different namespace.
Flags will be changed often, and participants need to submit the secret flag as proof of successful exploitation. The lab environment does not store any data (such as the commands or files used to exploit it), so participants need the flags to demonstrate they were able to compromise it.
The rewards will work in the following way:
- Bugs that affect the lab GKE environment that can lead to stealing both flags will be rewarded up to 10,000 USD, but we will review each report on a case-by-case basis. Any vulnerabilities are in scope, regardless of where they are: Linux, Kubernetes, kCTF, Google, or any other dependency. Instructions on how to submit the flags and exploits are available here.
- Bugs that are 100% in Google code, qualify for an additional Google VRP reward.
- Bugs that are 100% in Kubernetes code, qualify for an additional CNCF Kubernetes reward.
Any vulnerabilities found outside of GKE (like Kubernetes or the Linux kernel) should be reported to the corresponding upstream project security teams. To make this program expansion as efficient as possible for the maintainers, we will only reward vulnerabilities shown to be exploitable by stealing a flag. If your exploit relies on something in upstream Kubernetes, the Linux Kernel, or any other dependency, you need to report it there first, get it resolved, and then report it to Google. See instructions here.
The GKE lab environment is built on top of a CTF infrastructure that we just open-sourced on GitHub. The infrastructure is new, and we are looking forward to receiving feedback from the community before it can be actively used in CTF competitions. By including the CTF infrastructure in the scope of the Google VRP, we want to incentivise the community to help us secure not just the CTF competitions that will use it, but also GKE and the broader Kubernetes ecosystems.
In March 2020, we announced the winner for the first Google Cloud Platform (GCP) VRP Prize and since then we have seen increased interest and research happening on Google Cloud. With this new initiative, we hope to bring even more awareness to Google Cloud by experienced security researchers, so we can all work together to secure our shared open-source foundations.
Left unpatched, the vulnerability could expose almost all Android users to the risk of having their personal data intercepted by attackers
The post Critical Android flaw lets attackers hijack almost any app, steal data appeared first on WeLiveSecurity
A hack-and-extort campaign takes aim at poorly secured databases replete with customer information that can be exploited for further attacks
The post Crooks threaten to leak customer data stolen from e‑commerce sites appeared first on WeLiveSecurity
Turla has updated its ComRAT backdoor and now uses the Gmail web interface for Command and Control
The post From Agent.BTZ to ComRAT v4: A ten‑year journey appeared first on WeLiveSecurity
Has the landmark law helped build a culture of privacy in organizations and have consumers become more wary of sharing their personal data?
The post Two years later, has GDPR fulfilled its promise? appeared first on WeLiveSecurity
ESET research into Winnti Group’s new backdoor – A dangerous Android app under the microscope – The BIAS Bluetooth bug
The post Week in security with Tony Anscombe appeared first on WeLiveSecurity
ESET researchers detect a new way of misusing Accessibility Service, the Achilles’ heel of Android security
The post Insidious Android malware gives up all malicious features but one to gain stealth appeared first on WeLiveSecurity
Easy Contact
253 Main Ave, Passaic NJ 07055Call 973-777-5656
info@advantagecomputers.com
Fax 973-777-5821
© 2025 ~ All Rights Reserved
Advantage Computer Solutions, Inc